mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-04-12 23:04:33 +00:00
ci: Add runtime-rs GPU shims to NVIDIA GPU CI workflow
Add qemu-nvidia-gpu-runtime-rs and qemu-nvidia-gpu-snp-runtime-rs to the NVIDIA GPU test matrix so CI covers the new runtime-rs shims. Introduce a `coco` boolean field in each matrix entry and use it for all CoCo-related conditionals (KBS, snapshotter, KBS deploy/cleanup steps). This replaces fragile name-string comparisons that were already broken for the runtime-rs variants: `nvidia-gpu (runtime-rs)` was incorrectly getting KBS steps, and `nvidia-gpu-snp (runtime-rs)` was not getting the right env vars. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com> Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
This commit is contained in:
Fabiano Fidêncio
@@ -37,8 +37,10 @@ jobs:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
environment: [
|
||||
{ name: nvidia-gpu, vmm: qemu-nvidia-gpu, runner: amd64-nvidia-a100 },
|
||||
{ name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp },
|
||||
{ name: nvidia-gpu, vmm: qemu-nvidia-gpu, runner: amd64-nvidia-a100, coco: false },
|
||||
{ name: nvidia-gpu-runtime-rs, vmm: qemu-nvidia-gpu-runtime-rs, runner: amd64-nvidia-a100, coco: false },
|
||||
{ name: nvidia-gpu-snp, vmm: qemu-nvidia-gpu-snp, runner: amd64-nvidia-h100-snp, coco: true },
|
||||
{ name: nvidia-gpu-snp-runtime-rs, vmm: qemu-nvidia-gpu-snp-runtime-rs, runner: amd64-nvidia-h100-snp, coco: true },
|
||||
]
|
||||
runs-on: ${{ matrix.environment.runner }}
|
||||
env:
|
||||
@@ -48,9 +50,9 @@ jobs:
|
||||
GH_PR_NUMBER: ${{ inputs.pr-number }}
|
||||
KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
|
||||
KUBERNETES: kubeadm
|
||||
KBS: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
|
||||
SNAPSHOTTER: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'nydus' || '' }}
|
||||
USE_EXPERIMENTAL_SNAPSHOTTER_SETUP: ${{ matrix.environment.name == 'nvidia-gpu-snp' && 'true' || 'false' }}
|
||||
KBS: ${{ matrix.environment.coco && 'true' || 'false' }}
|
||||
SNAPSHOTTER: ${{ matrix.environment.coco && 'nydus' || '' }}
|
||||
USE_EXPERIMENTAL_SNAPSHOTTER_SETUP: ${{ matrix.environment.coco && 'true' || 'false' }}
|
||||
K8S_TEST_HOST_TYPE: baremetal
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
@@ -75,12 +77,12 @@ jobs:
|
||||
run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
|
||||
|
||||
- name: Uninstall previous `kbs-client`
|
||||
if: matrix.environment.name != 'nvidia-gpu'
|
||||
if: matrix.environment.coco
|
||||
timeout-minutes: 10
|
||||
run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
|
||||
|
||||
- name: Deploy CoCo KBS
|
||||
if: matrix.environment.name != 'nvidia-gpu'
|
||||
if: matrix.environment.coco
|
||||
timeout-minutes: 10
|
||||
run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
|
||||
env:
|
||||
@@ -88,7 +90,7 @@ jobs:
|
||||
KBS_INGRESS: nodeport
|
||||
|
||||
- name: Install `kbs-client`
|
||||
if: matrix.environment.name != 'nvidia-gpu'
|
||||
if: matrix.environment.coco
|
||||
timeout-minutes: 10
|
||||
run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
|
||||
|
||||
@@ -127,7 +129,7 @@ jobs:
|
||||
run: bash tests/integration/kubernetes/gha-run.sh cleanup
|
||||
|
||||
- name: Delete CoCo KBS
|
||||
if: always() && matrix.environment.name != 'nvidia-gpu'
|
||||
if: always() && matrix.environment.coco
|
||||
timeout-minutes: 10
|
||||
run: |
|
||||
bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
|
||||
|
||||
@@ -691,7 +691,7 @@ function helm_helper() {
|
||||
# HELM_SHIMS is a space-separated list of shim names
|
||||
# Enable each shim and set supported architectures
|
||||
# TEE shims that need defaults unset (will be set based on env vars)
|
||||
tee_shims="qemu-se qemu-se-runtime-rs qemu-cca qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx"
|
||||
tee_shims="qemu-se qemu-se-runtime-rs qemu-cca qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-nvidia-gpu-snp-runtime-rs qemu-nvidia-gpu-tdx-runtime-rs"
|
||||
|
||||
for shim in ${HELM_SHIMS}; do
|
||||
# Determine supported architectures based on shim name
|
||||
@@ -705,7 +705,7 @@ function helm_helper() {
|
||||
yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
|
||||
yq -i ".shims.${shim}.supportedArches = [\"arm64\"]" "${values_yaml}"
|
||||
;;
|
||||
qemu-snp|qemu-snp-runtime-rs|qemu-tdx|qemu-tdx-runtime-rs|qemu-nvidia-gpu-snp|qemu-nvidia-gpu-tdx)
|
||||
qemu-snp|qemu-snp-runtime-rs|qemu-tdx|qemu-tdx-runtime-rs|qemu-nvidia-gpu-snp|qemu-nvidia-gpu-tdx|qemu-nvidia-gpu-snp-runtime-rs|qemu-nvidia-gpu-tdx-runtime-rs)
|
||||
yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
|
||||
yq -i ".shims.${shim}.supportedArches = [\"amd64\"]" "${values_yaml}"
|
||||
;;
|
||||
@@ -717,7 +717,7 @@ function helm_helper() {
|
||||
yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
|
||||
yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"s390x\"]" "${values_yaml}"
|
||||
;;
|
||||
qemu-nvidia-gpu)
|
||||
qemu-nvidia-gpu|qemu-nvidia-gpu-runtime-rs)
|
||||
yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
|
||||
yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\"]" "${values_yaml}"
|
||||
;;
|
||||
|
||||
@@ -10,7 +10,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
|
||||
|
||||
load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
|
||||
|
||||
SUPPORTED_GPU_TEE_HYPERVISORS=("qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx")
|
||||
SUPPORTED_GPU_TEE_HYPERVISORS=("qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx" "qemu-nvidia-gpu-snp-runtime-rs" "qemu-nvidia-gpu-tdx-runtime-rs")
|
||||
SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-snp-runtime-rs" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs" "${SUPPORTED_GPU_TEE_HYPERVISORS[@]}")
|
||||
SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev" "qemu-coco-dev-runtime-rs")
|
||||
|
||||
|
||||
@@ -187,7 +187,7 @@ function deploy_kata() {
|
||||
|
||||
# Workaround to avoid modifying the workflow yaml files
|
||||
case "${KATA_HYPERVISOR}" in
|
||||
qemu-tdx|qemu-snp|qemu-snp-runtime-rs|qemu-nvidia-gpu-*)
|
||||
qemu-tdx|qemu-snp|qemu-snp-runtime-rs|qemu-nvidia-gpu-tdx*|qemu-nvidia-gpu-snp*)
|
||||
USE_EXPERIMENTAL_SETUP_SNAPSHOTTER=true
|
||||
SNAPSHOTTER="nydus"
|
||||
EXPERIMENTAL_FORCE_GUEST_PULL=false
|
||||
|
||||
@@ -182,6 +182,13 @@ setup_file() {
|
||||
export POD_EMBEDQA_YAML_IN="${pod_config_dir}/${POD_NAME_EMBEDQA}.yaml.in"
|
||||
export POD_EMBEDQA_YAML="${pod_config_dir}/${POD_NAME_EMBEDQA}.yaml"
|
||||
|
||||
# runtime-rs does not support trusted storage yet, so use alternative
|
||||
# TEE templates without emptyDir/PVC volumes and higher memory.
|
||||
if is_runtime_rs && [[ "${TEE}" = "true" ]]; then
|
||||
export POD_INSTRUCT_YAML_IN="${pod_config_dir}/${POD_NAME_INSTRUCT}-no-trusted-storage.yaml.in"
|
||||
export POD_EMBEDQA_YAML_IN="${pod_config_dir}/${POD_NAME_EMBEDQA}-no-trusted-storage.yaml.in"
|
||||
fi
|
||||
|
||||
dpkg -s jq >/dev/null 2>&1 || sudo apt -y install jq
|
||||
|
||||
setup_langchain_flow
|
||||
@@ -198,27 +205,29 @@ setup_file() {
|
||||
# file and BEFORE auto_generate_policy() runs.
|
||||
create_nim_initdata_file "${policy_settings_dir}/default-initdata.toml"
|
||||
|
||||
# Container image layer storage: one block device and PV/PVC per pod.
|
||||
storage_config_template="${pod_config_dir}/confidential/trusted-storage.yaml.in"
|
||||
if ! is_runtime_rs; then
|
||||
# Container image layer storage: one block device and PV/PVC per pod.
|
||||
storage_config_template="${pod_config_dir}/confidential/trusted-storage.yaml.in"
|
||||
|
||||
instruct_storage_mib=57344
|
||||
local_device_instruct=$(create_loop_device /tmp/trusted-image-storage-instruct.img "$instruct_storage_mib")
|
||||
storage_config_instruct=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").instruct.XXX")
|
||||
PV_NAME=trusted-block-pv-instruct PVC_NAME=trusted-pvc-instruct \
|
||||
PV_STORAGE_CAPACITY="${instruct_storage_mib}Mi" PVC_STORAGE_REQUEST="${instruct_storage_mib}Mi" \
|
||||
LOCAL_DEVICE="$local_device_instruct" NODE_NAME="$node" \
|
||||
envsubst < "$storage_config_template" > "$storage_config_instruct"
|
||||
retry_kubectl_apply "$storage_config_instruct"
|
||||
instruct_storage_mib=57344
|
||||
local_device_instruct=$(create_loop_device /tmp/trusted-image-storage-instruct.img "$instruct_storage_mib")
|
||||
storage_config_instruct=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").instruct.XXX")
|
||||
PV_NAME=trusted-block-pv-instruct PVC_NAME=trusted-pvc-instruct \
|
||||
PV_STORAGE_CAPACITY="${instruct_storage_mib}Mi" PVC_STORAGE_REQUEST="${instruct_storage_mib}Mi" \
|
||||
LOCAL_DEVICE="$local_device_instruct" NODE_NAME="$node" \
|
||||
envsubst < "$storage_config_template" > "$storage_config_instruct"
|
||||
retry_kubectl_apply "$storage_config_instruct"
|
||||
|
||||
if [ "${SKIP_MULTI_GPU_TESTS}" != "true" ]; then
|
||||
embedqa_storage_mib=8192
|
||||
local_device_embedqa=$(create_loop_device /tmp/trusted-image-storage-embedqa.img "$embedqa_storage_mib")
|
||||
storage_config_embedqa=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").embedqa.XXX")
|
||||
PV_NAME=trusted-block-pv-embedqa PVC_NAME=trusted-pvc-embedqa \
|
||||
PV_STORAGE_CAPACITY="${embedqa_storage_mib}Mi" PVC_STORAGE_REQUEST="${embedqa_storage_mib}Mi" \
|
||||
LOCAL_DEVICE="$local_device_embedqa" NODE_NAME="$node" \
|
||||
envsubst < "$storage_config_template" > "$storage_config_embedqa"
|
||||
retry_kubectl_apply "$storage_config_embedqa"
|
||||
if [ "${SKIP_MULTI_GPU_TESTS}" != "true" ]; then
|
||||
embedqa_storage_mib=8192
|
||||
local_device_embedqa=$(create_loop_device /tmp/trusted-image-storage-embedqa.img "$embedqa_storage_mib")
|
||||
storage_config_embedqa=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").embedqa.XXX")
|
||||
PV_NAME=trusted-block-pv-embedqa PVC_NAME=trusted-pvc-embedqa \
|
||||
PV_STORAGE_CAPACITY="${embedqa_storage_mib}Mi" PVC_STORAGE_REQUEST="${embedqa_storage_mib}Mi" \
|
||||
LOCAL_DEVICE="$local_device_embedqa" NODE_NAME="$node" \
|
||||
envsubst < "$storage_config_template" > "$storage_config_embedqa"
|
||||
retry_kubectl_apply "$storage_config_embedqa"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
@@ -490,7 +499,7 @@ teardown_file() {
|
||||
[ -f "${POD_EMBEDQA_YAML}" ] && kubectl delete -f "${POD_EMBEDQA_YAML}" --ignore-not-found=true
|
||||
fi
|
||||
|
||||
if [[ "${TEE}" = "true" ]]; then
|
||||
if [[ "${TEE}" = "true" ]] && ! is_runtime_rs; then
|
||||
kubectl delete --ignore-not-found pvc trusted-pvc-instruct trusted-pvc-embedqa
|
||||
kubectl delete --ignore-not-found pv trusted-block-pv-instruct trusted-block-pv-embedqa
|
||||
kubectl delete --ignore-not-found storageclass local-storage
|
||||
|
||||
@@ -14,7 +14,12 @@ source "${kubernetes_dir}/../../common.bash"
|
||||
|
||||
# Enable NVRC trace logging for NVIDIA GPU runtime via drop-in config
|
||||
enable_nvrc_trace() {
|
||||
local config_dir="/opt/kata/share/defaults/kata-containers/runtimes/${KATA_HYPERVISOR}/config.d"
|
||||
local kata_config_base="/opt/kata/share/defaults/kata-containers"
|
||||
case "${KATA_HYPERVISOR}" in
|
||||
*-runtime-rs) kata_config_base="${kata_config_base}/runtime-rs" ;;
|
||||
esac
|
||||
|
||||
local config_dir="${kata_config_base}/runtimes/${KATA_HYPERVISOR}/config.d"
|
||||
local drop_in_file="${config_dir}/90-nvrc-trace.toml"
|
||||
local kernel_params_drop_in="${config_dir}/30-kernel-params.toml"
|
||||
|
||||
@@ -30,7 +35,7 @@ enable_nvrc_trace() {
|
||||
if [[ -f "${kernel_params_drop_in}" ]]; then
|
||||
base_params=$(grep -E '^kernel_params\s*=' "${kernel_params_drop_in}" | sed 's/^kernel_params\s*=\s*"\(.*\)"/\1/' || true)
|
||||
else
|
||||
local runtime_config="/opt/kata/share/defaults/kata-containers/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
|
||||
local runtime_config="${kata_config_base}/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
|
||||
if [[ -f "${runtime_config}" ]]; then
|
||||
base_params=$(grep -E '^kernel_params\s*=' "${runtime_config}" | sed 's/^kernel_params\s*=\s*"\(.*\)"/\1/' || true)
|
||||
fi
|
||||
@@ -93,7 +98,7 @@ else
|
||||
"k8s-nvidia-nim-service.bats")
|
||||
fi
|
||||
|
||||
SUPPORTED_HYPERVISORS=("qemu-nvidia-gpu" "qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx")
|
||||
SUPPORTED_HYPERVISORS=("qemu-nvidia-gpu" "qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx" "qemu-nvidia-gpu-runtime-rs" "qemu-nvidia-gpu-snp-runtime-rs" "qemu-nvidia-gpu-tdx-runtime-rs")
|
||||
export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu-nvidia-gpu}"
|
||||
# shellcheck disable=SC2076 # intentionally use literal string matching
|
||||
if [[ ! " ${SUPPORTED_HYPERVISORS[*]} " =~ " ${KATA_HYPERVISOR} " ]]; then
|
||||
|
||||
@@ -0,0 +1,98 @@
|
||||
# Copyright (c) 2025 NVIDIA Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# TEE variant without trusted storage support (e.g. for runtime-rs which
|
||||
# does not yet implement block-encrypted emptyDir or trusted PVC).
|
||||
# Uses higher memory to compensate for the lack of offloaded storage.
|
||||
#
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: ${POD_NAME_INSTRUCT}
|
||||
labels:
|
||||
app: ${POD_NAME_INSTRUCT}
|
||||
annotations:
|
||||
# Start CDH process and configure AA for KBS communication
|
||||
# aa_kbc_params tells the Attestation Agent where KBS is located
|
||||
io.katacontainers.config.hypervisor.kernel_params: "agent.guest_components_procs=confidential-data-hub agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
|
||||
# cc_init_data annotation will be added by genpolicy with CDH configuration
|
||||
# from the custom default-initdata.toml created by create_nim_initdata_file()
|
||||
spec:
|
||||
# Explicit user/group/supplementary groups to support nydus guest-pull.
|
||||
# See issue https://github.com/kata-containers/kata-containers/issues/11162 and
|
||||
# other references to this issue in the genpolicy source folder.
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
supplementalGroups: [4, 20, 24, 25, 27, 29, 30, 44, 46]
|
||||
restartPolicy: Never
|
||||
runtimeClassName: kata
|
||||
imagePullSecrets:
|
||||
- name: ngc-secret-instruct
|
||||
containers:
|
||||
- name: ${POD_NAME_INSTRUCT}
|
||||
image: nvcr.io/nim/meta/llama-3.1-8b-instruct:1.13.1
|
||||
# Ports exposed by the container:
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
name: http-openai
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /v1/health/live
|
||||
port: http-openai
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /v1/health/ready
|
||||
port: http-openai
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /v1/health/ready
|
||||
port: http-openai
|
||||
initialDelaySeconds: 360
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 30
|
||||
env:
|
||||
- name: NGC_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ngc-api-key-sealed-instruct
|
||||
key: api-key
|
||||
# GPU resource limit (for NVIDIA GPU)
|
||||
resources:
|
||||
limits:
|
||||
nvidia.com/pgpu: "1"
|
||||
cpu: "16"
|
||||
memory: "128Gi"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ngc-secret-instruct
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
data:
|
||||
.dockerconfigjson: ${DOCKER_CONFIG_JSON}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ngc-api-key-sealed-instruct
|
||||
type: Opaque
|
||||
data:
|
||||
# Sealed secret pointing to kbs:///default/ngc-api-key/instruct
|
||||
# CDH will unseal this by fetching the actual key from KBS
|
||||
api-key: "${NGC_API_KEY_SEALED_SECRET_INSTRUCT_BASE64}"
|
||||
@@ -0,0 +1,107 @@
|
||||
# Copyright (c) 2025 NVIDIA Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# TEE variant without trusted storage support (e.g. for runtime-rs which
|
||||
# does not yet implement block-encrypted emptyDir or trusted PVC).
|
||||
# Uses higher memory to compensate for the lack of offloaded storage.
|
||||
#
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: ${POD_NAME_EMBEDQA}
|
||||
labels:
|
||||
app: ${POD_NAME_EMBEDQA}
|
||||
annotations:
|
||||
# Start CDH process and configure AA for KBS communication
|
||||
# aa_kbc_params tells the Attestation Agent where KBS is located
|
||||
io.katacontainers.config.hypervisor.kernel_params: "agent.guest_components_procs=confidential-data-hub agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
|
||||
# cc_init_data annotation will be added by genpolicy with CDH configuration
|
||||
# from the custom default-initdata.toml created by create_nim_initdata_file()
|
||||
spec:
|
||||
# Explicit user/group/supplementary groups to support nydus guest-pull.
|
||||
# See issue https://github.com/kata-containers/kata-containers/issues/11162 and
|
||||
# other references to this issue in the genpolicy source folder.
|
||||
securityContext:
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
fsGroup: 1000
|
||||
restartPolicy: Always
|
||||
runtimeClassName: kata
|
||||
serviceAccountName: default
|
||||
imagePullSecrets:
|
||||
- name: ngc-secret-embedqa
|
||||
containers:
|
||||
- name: ${POD_NAME_EMBEDQA}
|
||||
image: nvcr.io/nim/nvidia/llama-3.2-nv-embedqa-1b-v2:1.10.1
|
||||
imagePullPolicy: IfNotPresent
|
||||
env:
|
||||
- name: NGC_API_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ngc-api-key-sealed-embedqa
|
||||
key: api-key
|
||||
- name: NIM_HTTP_API_PORT
|
||||
value: "8000"
|
||||
- name: NIM_JSONL_LOGGING
|
||||
value: "1"
|
||||
- name: NIM_LOG_LEVEL
|
||||
value: "INFO"
|
||||
ports:
|
||||
- containerPort: 8000
|
||||
name: http
|
||||
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /v1/health/live
|
||||
port: 8000
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /v1/health/ready
|
||||
port: 8000
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 10
|
||||
successThreshold: 1
|
||||
failureThreshold: 3
|
||||
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /v1/health/ready
|
||||
port: 8000
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 1
|
||||
successThreshold: 1
|
||||
failureThreshold: 180
|
||||
|
||||
resources:
|
||||
limits:
|
||||
nvidia.com/pgpu: "1"
|
||||
cpu: "16"
|
||||
memory: "48Gi"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ngc-secret-embedqa
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
data:
|
||||
.dockerconfigjson: ${DOCKER_CONFIG_JSON}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: ngc-api-key-sealed-embedqa
|
||||
type: Opaque
|
||||
data:
|
||||
# Sealed secret pointing to kbs:///default/ngc-api-key/embedqa
|
||||
# CDH will unseal this by fetching the actual key from KBS
|
||||
api-key: "${NGC_API_KEY_SEALED_SECRET_EMBEDQA_BASE64}"
|
||||
@@ -82,7 +82,7 @@ auto_generate_policy_enabled() {
|
||||
|
||||
is_coco_platform() {
|
||||
case "${KATA_HYPERVISOR}" in
|
||||
"qemu-tdx"|"qemu-snp"|"qemu-snp-runtime-rs"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp")
|
||||
"qemu-tdx"|"qemu-snp"|"qemu-snp-runtime-rs"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp"|"qemu-nvidia-gpu-tdx-runtime-rs"|"qemu-nvidia-gpu-snp-runtime-rs")
|
||||
return 0
|
||||
;;
|
||||
*)
|
||||
|
||||
Reference in New Issue
Block a user